Configuring encryption of SNMP connections
December 13, 2023
ID 184759
Third-party programs can access data sent over SNMP or replace those data with their own data. To ensure secure communication over SNMP, we recommend to configure encryption of SNMP connections.
Prior to configuration, make sure that the snmpd and snmptrapd services are installed on all servers that have Kaspersky Web Traffic Security installed.
To configure encryption of SNMP connections:
- Add the following line to the /etc/snmp/snmpd.conf file:
view systemview included .1 - Receive an EngineID, which is necessary to process SNMP traps. To do so, on the Master server, run the command:
snmpget -v2c -cpublic localhost SNMP-FRAMEWORK-MIB::snmpEngineID.0 2>/dev/null | sed -ne 's/ //g; s/.*:/0x/p' - Configure the snmpd service on each server that is part of the cluster. To do so:
- Stop the snmpd service. To do so, execute the command:
service snmpd stop - Create a new user. To do so, execute the command:
net-snmp-create-v3-user -ro -a SHA -A <password> -x <password> -X AES kwts-snmp-user - Create the /etc/snmp/snmpd.conf configuration file with the following content:
# accept KWTS statistics over unix socketagentXSocket unix:/var/run/agentx-master.socketagentXPerms 770 770 kluser klusersmaster agentx# accept incoming SNMP requests over UDP and TCPagentAddress udp:localhost:161,tcp:localhost:161rouser kwts-snmp-user priv .1.3.6.1# comment the following line if you don't need SNMP traps forwarding over SNMPv3 connectiontrapsess -e <EngineID> -v3 -l authPriv -u kwts-snmp-user -a SHA -A <password> -x AES -X <password> udp:localhost:162 - Add the following strings to the configuration file /etc/snmp/snmp.conf:
mibdirs +/opt/kaspersky/kwts/share/snmp-mibs/mibs all - Start the snmpd service. To do so, execute the command:
service snmpd start - Check the SNMP connection. To do so, run the following commands:
snmpwalk -mALL -v3 -l authPriv -u kwts-snmp-user -a SHA -A <password> -x AES -X <password> udp:localhost:161 .1.3.6.1.4.1.23668snmpget -v3 -l authPriv -u kwts-snmp-user -a SHA -A <password> -x AES -X <password> udp:localhost:161 .1.3.6.1.4.1.23668.2022.2.8.1.0
- Stop the snmpd service. To do so, execute the command:
- Configure the snmptrapd service on the server where you want to receive SNMP traps. To do so:
- Stop the snmptrapd service. To do so, execute the command:
service snmptrapd stop - Depending on your operating system, open the following configuration file for editing:
- Ubuntu or Debian.
/var/lib/snmpd/snmptrapd.conf
- CentOS, SUSE Linux Enterprise Server, ALT Server, or Red Hat Enterprise Linux.
/var/lib/net-snmp/snmptrapd.conf
If a configuration file does not exist in the specified directory, create it.
- Ubuntu or Debian.
- Add the following line to the configuration file:
createUser -e <EngineID> kwts-snmp-user SHA "<password>" AES "<password>" - Create the /etc/snmp/snmptrapd.conf configuration file with the following content:
snmpTrapdAddr udp:<IP-address>:162,tcp:127.0.0.1:162authUser log kwts-snmp-user privdisableAuthorization noAs the
<IP-address>, specify the IP address that is used by the snmptrapd service to receive network connections. - Start the snmptrapd service. To do so, execute the command:
service snmptrapd start - Check the SNMP connection with the following command:
snmptrap -e <EngineID> -v3 -l authPriv -u kwts-snmp-user -a SHA -A <password> -x AES -X <password> udp:localhost:162 0 .1.3.6.1.4.1.23668.2022.1.411
- Stop the snmptrapd service. To do so, execute the command:
Encryption of SNMP connections is configured.
